Description
In Apache Tomcat (bug 62273), support for non-compliant URLs was added, but at the same time the default was changed to throw an error and return a 400 status when a URL contains invalid or non-encoded characters.
This causes a 400 error when, for example, the URL contains [2] instead of the required %5B2%5D.
Steps to reproduce
- Create archetype project and add Events using Essentials
- Go to localhost:8080/cms/console and browse to http://localhost:8080/cms/console/?1&path=/content/documents/myhippoproject/events/2018/09/breakfast/breakfast[2]
- Notice the [2] shown in the address bar and refresh the browser
- This causes a 400 status error
Exception logged as in [1]
This change is in all main versions:
- trunk for 9.0.8 onwards
- 8.5.x for 8.5.31 onwards
- 8.0.x for 8.0.52 onwards
- 7.0.x for 7.0.87 onwards
To be investigated in which places we use URLs that contain invalid or non-encoded characters, and fix them by properly encoding those characters. One such place is the console when browsing nodes whose path contains [2]-style parts.
To be investigated whether there is a broader impact from this change in Tomcat and if so, what needs to be documented.
These Tomcat releases introduced the relaxedPathChars/relaxedQueryChars attributes for the HTTP connector to relax the validation for specific characters. It is not wise to use these without care: for example, the '|' character was blocked in an earlier release because it may expose the server to CVE-2016-6816.
An alternative could be to validate and properly encode the path and query in the router.
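As an added example (not code from the CMS project or from Tomcat) of what such router-side encoding could look like: a hypothetical helper that percent-encodes a path segment by segment and a query parameter value, plus a check that approximates the RFC 3986 character rule Tomcat now enforces on the request target. Class and method names are assumptions.

```java
import java.nio.charset.StandardCharsets;
import java.util.BitSet;

/** Hypothetical helper (example code, not the CMS's or Tomcat's own). */
public final class PathEncoding {

    // RFC 3986 character classes; pchar = unreserved + sub-delims + ":" + "@".
    private static final BitSet UNRESERVED = new BitSet(128);
    private static final BitSet PCHAR = new BitSet(128);
    private static final BitSet QUERY_VALUE = new BitSet(128);
    static {
        for (char c = 'a'; c <= 'z'; c++) UNRESERVED.set(c);
        for (char c = 'A'; c <= 'Z'; c++) UNRESERVED.set(c);
        for (char c = '0'; c <= '9'; c++) UNRESERVED.set(c);
        for (char c : "-._~".toCharArray()) UNRESERVED.set(c);
        PCHAR.or(UNRESERVED);
        for (char c : "!$&'()*+,;=:@".toCharArray()) PCHAR.set(c);
        // Query values additionally must not contain '&', '=' or '+' unencoded.
        QUERY_VALUE.or(UNRESERVED);
        for (char c : "/:@".toCharArray()) QUERY_VALUE.set(c);
    }

    // Percent-encodes every UTF-8 byte that is not in the safe set ('[' -> %5B, ']' -> %5D).
    private static String percentEncode(String s, BitSet safe) {
        StringBuilder out = new StringBuilder();
        for (byte b : s.getBytes(StandardCharsets.UTF_8)) {
            int c = b & 0xff;
            if (c < 128 && safe.get(c)) out.append((char) c);
            else out.append('%').append(String.format("%02X", c));
        }
        return out.toString();
    }

    /** Encodes a slash-separated path segment by segment, keeping the separators. */
    public static String encodePath(String path) {
        String[] parts = path.split("/", -1);
        for (int i = 0; i < parts.length; i++) parts[i] = percentEncode(parts[i], PCHAR);
        return String.join("/", parts);
    }

    /** Encodes a value placed after "name=" in the query string. */
    public static String encodeQueryValue(String value) { return percentEncode(value, QUERY_VALUE); }

    /** Approximates Tomcat's check: only pchar, '/', '?' and '%' may appear in the request target. */
    public static boolean isValidRequestTarget(String target) {
        for (char c : target.toCharArray()) {
            if (c >= 128 || !(PCHAR.get(c) || c == '/' || c == '?' || c == '%')) return false;
        }
        return true;
    }
}
```

For the console URL above, passing the raw path value to isValidRequestTarget returns false (the same condition under which Tomcat answers 400), while encodeQueryValue turns breakfast[2] into breakfast%5B2%5D, which the check accepts.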
[1]
[INFO] 22-Sep-2018 23:09:22.651 INFO [http-nio-8080-exec-5] org.apache.coyote.http11.Http11Processor.service Error parsing HTTP request header
[INFO] java.lang.IllegalArgumentException: Invalid character found in the request target. The valid characters are defined in RFC 7230 and RFC 3986
[INFO] at org.apache.coyote.http11.Http11InputBuffer.parseRequestLine(Http11InputBuffer.java:479)
[INFO] at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:687)
[INFO] at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:66)
[INFO] at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:790)
[INFO] at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1468)
[INFO] at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
[INFO] at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
[INFO] at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
[INFO] at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
[INFO] at java.lang.Thread.run(Thread.java:748)
Issue Links
- causes: CMS-11481 Console, CMS nor repository servlet do not encode path set in the browser address bar (Closed)